Described below are a method and a computer program product for agreeing between at least one first and one second communication subscriber to a security key for the purpose of securing a communication link.
For third generation mobile radiocommunication systems a method is known, from the 3GPP specifications, according to which a short-term security relationship between a user and a communication network device is derived from the long-term security relationship between a user and a network operator. The long-term security relationship is based on a long-term secret cryptographic key, which is stored in a security module of the user, a so-called UMTS-SIM card (technically more accurately: a USIM application on a UICC card), and in the network operator's authentication centre. From this long-term key, a short-term key Ks is derived by the so-called GBA method (GBA=generic bootstrapping architecture), in that messages are exchanged between a terminal device (UE=user equipment), a computational unit in the communication network (BSF=bootstrapping server function) together with a communication network subscriber's system (HSS=home subscriber system). Using a further key derivation function, this short-term key is used as Ks_NAF to secure communications between a user's mobile communication terminal device and another communication network device (NAF=network application function). The GBA method, which is specified in 3G TS 33.220, is based on the UMTS AKA protocol (AKA=authentication and key agreement). This protocol is specified in 3G TS 33.102, and a mandatory requirement of it is the presence of a USIM application at the user end. Here, the UMTS AKA protocol generates in a secure manner session keys CK and IK, each having a length of 128 bits. As laid down in TS 33.220, the short-term key Ks_NAF, used to secure the communications between a user's mobile communication terminal device and a communication network device, is derived from the session keys CK and IK.
The spread of mobile communication terminal devices conforming to the UMTS standard is, however, still far from being as advanced as the spread of mobile communication terminal devices conforming to the GSM standard. Hence too, SIM cards like those used in every GSM mobile radio telephone are significantly more widespread than the UMTS-SIM cars which are as yet still rarely found. However, even for GSM network operators there is a strong interest in providing GSM users with secure links between a mobile communication terminal device and a communication network device. For this reason, the objective of a current standardization project with the name 2G GBA is to define a method of securing a communication which corresponds to the GBA method and which uses, instead of UMTS-SIM cards and the UMTS AKA protocol, either a SIM card or a SIM application on a UICC card and the GSM AKA protocol.
One reason for pursuing this project is the expectation that a future 2G GBA method, to achieve secure communication from a mobile communication terminal device to a communication network device, will not need to establish a new long-term security relationship with the user. Accordingly, the intention would be to avoid the need to distribute new UMTS SIM cards to the users, something which always has high associated costs for the network operator. The SIM cards or SIM applications on the UICC card, already available to the users, should thus continue to be used, so that a relationship which already exists between a user and a network operator can be used.
One problem with this is that the GSM AKA protocol offers substantially lower security than the UMTS AKA protocol. Apart from this, the session keys generated by the GSM AKA protocol are for many purposes too short (maximum 64 bits). Furthermore, the session keys are used by insecure algorithms, such as for example the GSM encryption algorithms A5/1 and A5/2. There is therefore a danger that a hacker can find out this session key, and the security of the 2G GBA method could thereby be completely compromised.